Not that it’s ever had popularity status among the business community, but the word ‘GDPR’ seems, well, frankly almost inappropriate to mention right now.
For many businesses, continued compliance with it, and any kind of compliance monitoring, is a fair way down the list of priorities when compared with cashflow preservation, premises/rent management and ensuring the safety and payment of our much-valued staff.
However, the law remains in place, even now.
And with staff working remotely (often using their own kit, not work-provided equipment), it's more of a challenge now than ever to manage personal data and our legal obligations to keep it secure, to collect only what we absolutely need, and to be responsible about what we share.
Cyber security risk hasn't gone away either: a mass global shift to homeworking means more people, on more devices, are exposed as cybercriminals exploit the global hunger for Covid-19 information.
The National Cyber Security Centre reported a 400% increase in coronavirus-related fraud reports in March.
There’s a helpful checklist of essential things to cover later on in this blog.
What’s the regulator’s stance on compliance in Covid-19 world?
Reassuringly, it’s a sensible one.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has issued supportive, pragmatic guidance. It will take a proportionate approach to the way businesses handle the personal data they collect, control and/or process in the course of their work, recognising that we're not operating under normal circumstances and that the usual checks and balances we'd carry out at work won't be performed to the same standard – for obvious reasons.
Their site, which includes a number of key Covid-19 Q&As for businesses and individuals, emphasises that homeworking (including where employees are using personal devices) isn't something that the data protection laws preclude – thank goodness!
However, businesses are still expected to assess the risks that may be created from these arrangements, and to do what's reasonable to mitigate them. The usual rules still apply to direct marketing activities too.
According to the ICO,
“We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period… [and]…we will tell people through our own communication channels that they may experience understandable delays in making information requests during the pandemic.”
How to manage data protection alongside the government’s guidance on self-isolation, social distancing, and even health and safety
Telling others about a Covid-19 case among your staff
Many businesses, especially those supporting essential services and keyworkers (but others too) are still operating and their staff aren't able to work remotely.
It’s not something we’ve ever really needed to think about – but now, if a member of staff self-isolates with Covid-19 symptoms or reports in sick with a confirmed case of Covid-19, managers will need to inform other staff (who may also need to self-isolate), and they may need to inform other people, like customers, suppliers, or those the individual concerned may have had direct contact with.
In those situations, it may be unavoidable to share the identity of that individual with those direct contactees, but it should be avoided wherever possible.
Businesses should consider carefully whether it's always necessary to identify the individual concerned. The regulators have issued guidance that, as far as possible, individual identities shouldn't be disclosed.
Data relating to health is a special category under the UK’s data protection laws and it requires special care – and extra measures need to be taken when processing this data, including when disclosing to others.
In some instances, such as explaining to a wider employee base, a supplier or a customer why a particular team is self-isolating and therefore alternative arrangements for taking deliveries or organising collections are needed, there should be no need to name the particular employee who reported the symptoms or concerns.
Collecting and recording health data relating to Covid-19 status
As businesses, we’re duty bound to monitor employee health and safety, including their mental wellbeing, and that’s particularly hard in a remote working environment.
And we still need to ensure that the questions we ask our staff, the records we make, and the people we share employee health and Covid-19 status data with, are carefully chosen and that the data is securely handled.
We shouldn't be collecting or recording more data than is strictly needed (don't use Covid-19 as an excuse to collect excessive and unnecessary data), and we should absolutely ensure that we record any decisions made in relation to these data clearly, contemporaneously and, again, securely.
Make sure your privacy notice for employees covers the collection and uses of personal data, including health data and, in the case of health data, that it sets out the lawful reasons for using this sensitive data under data protection laws.
What are your remote-working staff actually doing?
Is it ok to monitor staff’s working practices during this period?
Many employers will choose to rely on evidence of productivity during this period and aim to be reasonably flexible – especially with children and other dependents being at home, needing supervision/assistance during normal working hours, which is a challenge for even the best organised and efficient among us.
But is it permitted to monitor employee activity more scientifically?
Even before Covid-19, employee monitoring was a complex area! It can be highly intrusive, so care needs to be taken when considering it.
Before carrying out monitoring of any kind, the company should carry out a detailed impact assessment (a data protection impact assessment, or DPIA) to set out and evaluate the risks attached to the monitoring. This may also help to identify less-intrusive ways in which the monitoring could be undertaken.
Any monitoring must also be proportionate (i.e. whether the reason for monitoring is sufficient to justify the potential intrusion into an individual’s life, and whether the means used to monitor are proportionate).
Following the impact assessment and before conducting any monitoring of any sort, you need to inform employees about the monitoring, including to tell them:
- what information may be obtained
- why it is being collected and used, and
- who will have access to that information
On that last point, only a very limited number of staff should have access to the information.
The above information could be provided to employees via an update to your employee privacy notice and any electronic communications policy.
During Covid-19 homeworking, employees may be operating differently and using different devices from those they normally would…
Are employees using company-provided electronic devices during this period, or are they using their own? If the latter, then a further data impact assessment should be carried out, as the risk of intrusion into private lives could be much higher.
We’d recommend employers remind employees who are homeworking of the business’ policy wording, if any, relating to monitoring, so the employees can ensure they understand what's expected of them, and, also, what may occur in relation to the monitoring of their activities and the rationale for doing so.
Worries about rogue employees or unsanctioned activity
Thanks to a recent Supreme Court ruling in the Morrisons supermarket case, employers won’t be held vicariously liable for the actions of rogue employees whose activities weren't closely connected with what the employee was authorised to do in the ordinary course of their employment.
But how does that play out here, where employees are out of sight and under significant pressure to carry on supporting their jobs and avoiding lay-offs, furloughing or redundancy? Can employers really ensure that employees stick within the right boundaries?
The answer is that we should be doing all that we reasonably can. That includes reminding staff of their compliance duties and ensuring they can still access, and have read and understood, your compliance policies and procedures.
A team video call to remind everyone how they need to be conducting themselves in any interactions with others, or recording of data, is a good idea; and it will give staff the opportunity to ask questions that can be answered and debated efficiently for everyone’s benefit.
Perhaps also consider issuing a top dos and don’ts list for key matters arising as a result of homeworking.
Marketing and sales-related communications
The rules apply as usual to communications made during this period. (See Helen’s usual guide on this topic on Farillio.)
Covid-19 doesn't change these rules.
Take care when including any kind of marketing or sales messages in virus-related communications. If you need a customer’s details (for example to process a cancellation refund, to reschedule deliveries, or to check visitors when they come on site), limit the personal data you request for these purposes to the bare minimum that you need to take that action, and nothing more.
Checklist for managing data protection and cyber risks with remote working staff
People and their practices are often your business’ weakest link when it comes to data compliance and protecting your business against cybercrime.
The following steps will help you to counteract these vulnerabilities.
Policies and know-how: Make sure your staff can easily locate – and have refreshed their memories on – your data protection and data asset management policies. Ensure they understand the rules as they apply them to their homeworking practices and when using their own personal devices to do work. If you need to update your policies, there's some clear and helpful guidance from the NCSC on staff using their own equipment here
Limiting personal data requests, as usual: If staff continue to make calls and interact with customers and other third parties, it’s essential that, whatever device and software you may have approved them to use during this period, they're still only asking for, using and recording personal data that's essential to the lawful performance of their duties, and that they're acting in compliance with your policies
All anti-virus software must be up to date: Ensure this is still the case where employees are using their own equipment/devices to work from home because business equipment isn't readily available. (If it is, only business equipment should be used.) Employees should also be asked to ensure that their home routers and WiFi connections are properly secured: the router's default admin password changed, and the WiFi protected with WPA2 or WPA3 and a strong passphrase rather than left open or on an older standard
Right versions of accounts and software, with all the right access protections and practices: Make sure that, even on their own devices, employees are logging into the business accounts for your email and other business software, not free/individual versions of the same services. Personal accounts sit outside your administrative controls and may not be backing data up where it should be, or would be, if the employee were working on workplace equipment
Free versions aren't always secure: It’s always worth cross-checking the free tiers of file-transfer and other software. They often lack the administrative controls, audit logging and data retention settings of the paid-for business versions, and their terms of service may allow the provider to handle your data differently
New services and due diligence requirements: Many of us are downloading and experimenting with apps and software that we haven’t used before, including video-conferencing facilities. Do ensure that these are secure versions and that you conduct your usual diligence on these providers, to be confident they’re reliable and conform to the UK’s GDPR data protection and data processing rules. If you’re not sure, ask to see their terms and ask them to confirm their UK data protection compliance status; aside from that, a quick internet search of reviews will often give you a fair idea of general security strengths and weaknesses. Alternatively, take some advice before recording or sharing anything confidential using this software/these tools
Staff with network/systems administrator rights: Staff with administrator rights to the software and/or systems your business is using may need additional security controls for their access and set-up, such as a separate admin account used only for admin tasks and two-factor authentication on it
Passwords and user names: Should continue to be protected in the best way possible; services like 1Password make this very straightforward and enable teams to share log-ins and payment details etc. securely, without sending them to each other over potentially less-secure communications channels. Strong, unique passwords should always be used, and two-factor authentication turned on wherever a service offers it. The National Cyber Security Centre has some great guidance on how to create good passwords (three random words is its recommended approach) if you're not using a password-generating service like 1Password.
Encryption: Make sure the devices being used encrypt data at rest, and that the encryption is turned on and properly configured, given that staff are more likely to lose, damage or have their devices stolen when out of the office. (Broadly, there are two states to protect: data in transit and data at rest. Data in transit is data moving over a network, such as email, file uploads or a video call, and it's protected by encrypted connections, for example HTTPS or a VPN. Data at rest is data stored on a device's disk or a USB stick, and it's protected by full-disk or device encryption such as BitLocker on Windows, FileVault on macOS, or the built-in encryption on phones, so that a stolen or lost device doesn't give up its contents.) You may well need to take expert advice on this to guide staff about the best means to achieve it and then to check it has actually been done, for example by confirming that device encryption shows as switched on in the device's settings
Backing-up: back-up your important data to protect it from loss due to accident or a ransomware attack. The method of backup should also be secure and not permanently connected to the device that holds your original copy of that data. Make sure you know how to restore your system from back-up as well
Portable devices and extras: Anything downloaded and stored to USB, or portable hard-drives, also kept at home, should be securely locked away, inaccessible by any other members of the household
Security from other household members: Equipment being used by employees for work while they are grounded at home should be secure from viewing or ‘interference’ by other members of the same household, so that personal data belonging to colleagues, customers and others can't be accessed by them.
- Logging out and passwords: Equipment should be shut down properly and only re-accessed with secure password protection each time. Passwords to equipment and to apps and business-related accounts shouldn't be shared
- Shared equipment: If equipment is being shared, employees must be required to log out of any email or apps accounts each time and before handing the equipment over to someone else to use
Not personal accounts: Employees shouldn't be using personal email accounts to carry out their work duties
Records, transfers, and no paper: Where possible, paper records shouldn't be kept on employee personal premises. And any transfer of physical records between employees and the office, or between themselves, should be treated as an absolute exception and secure, well-known and respected courier services used
Retention and destruction of data: Records should be destroyed according to your usual rules on data retention. In the home environment, employees should take special care that they are shredding or otherwise destroying any material containing personal data that's no longer required, and certainly not, for example, throwing documents out with the domestic waste into household rubbish bins
Loss, damage, destruction of data by accident – what’s the plan?: Equally, you should make sure you have a plan in case any data is accidentally lost, destroyed or damaged, whether electronically, or in physical format and to this end remind your employees about your data breach guidelines and policies
Phishing and scams: The way we’re remote working also leaves us exposed, as much as ever, to hackers, viruses and, of course, the ‘phishers’, whose attacks are on the rise. Be twice as wary as usual of emails from sources you do not recognise, including (perhaps especially) those with Covid-19 in the subject line.
Phishing is where cyber criminals trick people via email into providing them with confidential information. They do this by pretending to be a business that the recipient would be likely to trust.
For example, they may send an email pretending to be your bank who needs your passwords, or they pretend to be an ecommerce store asking for you to update your payment details – or, right now, they may capture your attention by mentioning Covid-19 as a reason for you needing urgently to take the action they’re requesting.
The World Health Organisation and other highly respected organisations, such as HMRC, have recently been mimicked by phishers. Emails purporting to come from these institutions offer Covid-19 safety advice or tax refunds, but the links lead to fake sites that ask the user to enter valuable personal data or log-in details, or download malicious software onto the user's device.
Phishing emails may also carry attachments that, when opened, install malware on the user’s computer that then copies their confidential data. This is known as ‘malware phishing’. Follow the guidance in our short cybercrime guide to counteract these incidents as effectively as you can. The NCSC also has some helpful additional guidance for users on how to spot the tell-tale signs of phishing, such as a sender address that doesn't match the organisation the email claims to come from, links whose real destination differs from the text shown, and pressure to act urgently.
If you think you've opened a phishing email or accidentally clicked a suspicious link, immediately run a scan of your device using your antivirus software and follow the instructions that it gives you. Employees should alert their managers, or the relevant IT resource that this has happened. If any passwords may have been compromised, make sure you change these immediately too.
Employers and their designated data protection responsible managers may also need to alert their bank, the ICO (if personal data may have been exposed – a reportable personal data breach must be notified to the ICO within 72 hours of becoming aware of it) and Action Fraud; so take advice if you're not sure how to handle what has happened.
- Who’s in charge?: Make sure staff know to whom they should report any questions, problems or concerns
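As an added example (not part of the original post), here is a small Python check that flags the tell-tale signs of phishing described in the checklist above: a Reply-To address on a different domain from the visible sender, a link whose visible text names one site while the real href points at another, and a subject line combining urgency with Covid-19. The two sample messages and all the domains in them are constructed for this illustration, and the domain comparison is a deliberately simple heuristic (a production tool would use the Public Suffix List).

```python
"""Added example: flag tell-tale signs of a phishing email.

Checks a Reply-To on a different domain from the visible sender, links whose
visible text names one domain while the href points at another, and a
Covid-19 urgency lure in the subject. Sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed suspicious message (not a real phishing email). The visible link
# text claims one site; the href goes elsewhere. All domains are illustrative.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-login.net>
Reply-To: recovery@mail-example.org
To: staff@example.co.uk
Subject: URGENT: Covid-19 account verification required within 24 hours
Content-Type: text/html

<html><body>
<p>Please verify your account now.</p>
<a href="http://example-bank-login.net/verify">https://www.example-bank.com/login</a>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Example Ltd IT" <it@example.co.uk>
To: staff@example.co.uk
Subject: Weekly IT update
Content-Type: text/html

<html><body>
<p>This week's notes are on <a href="https://intranet.example.co.uk/notes">the intranet</a>.</p>
</body></html>
"""

# Common UK second-level labels; a real tool would use the Public Suffix List.
_SECOND_LEVEL = {"co", "org", "ac", "gov", "ltd", "plc"}
_URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)
_URGENCY = re.compile(r"\b(?:urgent|immediately|within \d+ hours)\b", re.I)
_COVID = re.compile(r"\b(?:covid|coronavirus)\b", re.I)


def registrable_domain(value):
    """Crude registrable domain of an email address or URL, e.g.
    'x@a.example.co.uk' -> 'example.co.uk', 'http://www.x.net/p' -> 'x.net'."""
    if "@" in value and "://" not in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL else 2
    return ".".join(labels[-keep:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_email):
    """Return a list of (code, detail) warnings for an RFC 5322 message string."""
    msg = message_from_string(raw_email)
    warnings = []

    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable_domain(reply_to) != registrable_domain(sender):
        warnings.append(("reply-to-mismatch", f"{sender} vs Reply-To {reply_to}"))

    subject = msg.get("Subject", "")
    if _URGENCY.search(subject) and _COVID.search(subject):
        warnings.append(("covid-urgency-lure", subject))

    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() != "text/html":
            continue
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            # Only compare when the visible text itself looks like a URL/domain.
            if href and _URLISH.match(text) and \
                    registrable_domain(text) != registrable_domain(href):
                warnings.append(("link-mismatch", f"text {text} -> href {href}"))
    return warnings


if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, phishing_indicators(mail))
```

Run it and the suspicious message trips all three checks while the benign one trips none. The checks are signals, not proof: a legitimate mailing service can use a different Reply-To, and a phisher can avoid all three, so treat a hit as a reason to report the email rather than a verdict.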